Wi-Fi flaw discovered in 802.11b network protocol

Two security organizations have issued alerts warning of a flaw in wireless LAN equipment based on the 802.11b Wi-Fi standard that leaves the devices vulnerable to a denial-of-service (DoS) jamming attack.

The Australian Computer Emergency Response Team (AusCERT) issued a security alert last Thursday, as did the U.S. Computer Emergency Readiness Team (US-CERT), which warned of the potential threat to wireless networks.

The two organizations, as well as WLAN manufacturers, were notified in November of the flaw, according to Mark Looi, an associate professor at the School of Software Engineering and Data Communications at Queensland University. Three of his Ph.D. students at the Brisbane, Australia-based school -- Christian Wullems, Kevin Tham and Jason Smith -- discovered the flaw.

Since then, Looi said, he and AusCERT have worked with the WLAN manufacturers to find a "mitigation strategy" for the vulnerability before releasing the results of their research. The manufacturers finally concluded that "there are no mitigation strategies available" to rectify the fundamental problem in the 802.11b direct-sequence spread spectrum (DSSS) modulation scheme, Looi said. 802.11b WLANs have a raw data rate of 11Mbit/sec. and operate in the 2.4-GHz frequency band.

The manufacturers indicated that the only solution would be for users to switch to devices using the 802.11a protocol, which uses a different form of modulation than 802.11b, according to Looi.

Last week's security bulletins note that high-speed versions of wireless equipment based on the 802.11g protocol would also be immune to the vulnerability. But only equipment that carries data at speeds above 20Mbit/sec. could be considered safe from the DoS attacks.

"Independent vendors have confirmed that there is currently no defense against this type of attack for DSSS-based WLANs," AusCERT said. "At this time, a comprehensive solution in the form of software or firmware upgrade is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS."

James Gillespie, a senior security analyst at AusCERT, said WLAN vendors were given enough time to conduct an investigation of the vulnerability, but he declined to say exactly when industry leaders were notified. AusCERT sent out notification of the flaw through a network operated by the Forum of Incident Response and CERT Teams, which in turn notified country and vendor CERT organizations.

Major WLAN vendors reached today said they are checking on when they first learned of the flaw.

Frank Hanzlik, managing director of the Wi-Fi Alliance, an industry trade association in Austin, said his group learned of the flaw only in the past few days. Brian Grimm, a spokesman for the Alliance, said he conducted an informal survey of a half dozen companies, and all said they were unaware of the problem until last week.

Hanzlik dismissed claims in the AusCERT bulletin that the vulnerability reflects a flaw in the 802.11b protocol. "We don't look at this issue as a flaw in the protocol, but as a general class of DoS attack that all network managers need to be aware of," he said.

He also said that any DoS attack would need to be conducted by sophisticated hackers. But Looi disagreed, saying that the flaw "was very easy to find, and once found, was very easy to exploit" by attacking the Clear Channel Assessment (CCA) procedure in the DSSS protocol.

CCA determines whether a WLAN channel is clear so an 802.11b device can transmit on it. According to the AusCERT bulletin, "an attack against this vulnerability exploits the CCA function at the physical layer and causes all WLAN nodes within range, both clients and access points (AP), to defer transmission of data for the duration of the attack. When under attack, the device behaves as if the channel is always busy, preventing the transmission of any data over the wireless network."
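To show why a CCA-level jam starves the network completely rather than merely corrupting individual frames, here is an added illustration that is not from the article or the researchers' paper: a slot-level model of 802.11 CSMA/CA deferral in which stations count down their backoff only while CCA reports the medium idle, plus a constructed monitoring heuristic of the kind a spectrum-management tool would apply. DIFS_SLOTS, CW_MIN, FRAME_SLOTS and the 0.9 busy threshold are assumed values chosen for the model, not figures from the standard.

```python
import random

DIFS_SLOTS = 3      # constructed: DIFS expressed in slot times
CW_MIN = 15         # constructed: initial contention window (slots)
FRAME_SLOTS = 10    # constructed: slots a frame occupies the medium

def simulate_csma(num_stations, total_slots, cca_busy, seed=0):
    """Slot-level model of 802.11 CSMA/CA deferral.

    cca_busy(slot) -> bool is the physical-layer CCA verdict for that slot
    (True = medium busy). A station decrements its backoff only once the
    medium has been idle for DIFS and CCA reports idle; a station whose
    backoff expires transmits. Returns (frames_sent, slots_reported_busy).
    Collisions are ignored: the model is about deferral, not contention.
    """
    rng = random.Random(seed)
    backoff = [rng.randint(0, CW_MIN) for _ in range(num_stations)]
    idle_run, frames_sent, busy_slots, slot = 0, 0, 0, 0
    while slot < total_slots:
        if cca_busy(slot):
            busy_slots += 1         # CCA busy: nobody counts down
            idle_run = 0
            slot += 1
            continue
        idle_run += 1
        if idle_run <= DIFS_SLOTS:  # still waiting out DIFS
            slot += 1
            continue
        backoff = [b - 1 for b in backoff]
        ready = [i for i, b in enumerate(backoff) if b < 0]
        if not ready:
            slot += 1
            continue
        frames_sent += 1            # a winner transmits for FRAME_SLOTS
        for i in ready:
            backoff[i] = rng.randint(0, CW_MIN)
        idle_run = 0
        slot += FRAME_SLOTS
    return frames_sent, busy_slots

def cca_jam_suspected(frames_sent, busy_slots, total_slots, busy_threshold=0.9):
    """Constructed monitoring heuristic: CCA reports the channel busy almost
    all the time, yet no frames were decoded. Legitimate load shows busy
    time together with frames; a CCA-level jam shows busy time without any."""
    busy_fraction = busy_slots / total_slots
    return busy_fraction >= busy_threshold and frames_sent == 0

if __name__ == "__main__":
    quiet = simulate_csma(3, 1000, lambda s: False)
    jammed = simulate_csma(3, 1000, lambda s: True)
    print("normal channel:", quiet, "jam suspected:", cca_jam_suspected(*quiet, 1000))
    print("CCA held busy:", jammed, "jam suspected:", cca_jam_suspected(*jammed, 1000))
```

Driving cca_busy with a 50 percent duty cycle (busy every other slot) still yields zero frames, because DIFS never completes; a monitoring threshold therefore needs to look at decoded frames as well as raw busy time.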

According to AusCERT, an 802.11b jamming attack could be easily launched with inexpensive hardware, and all susceptible devices within the typical 100-to-300-foot range of a WLAN are vulnerable. "The range of a successful attack can be greatly improved by an increase in the transmission power of the attacking device, and the use of high-gain antennae," AusCERT said.

Warren Chaisatien, an analyst at IDC Australia in North Sydney, said it's "totally unbelievable" that wireless equipment manufacturers did not issue an early warning to users about the flaw, given the booming Wi-Fi market, which ships millions of WLAN chips, access points and client devices a month. Atheros Communications Inc. in Sunnyvale, Calif., said its shipments of combined 802.11b/g and 802.11a/b/g chips broke the 1 million mark last summer.

In its bulletin, US-CERT said that any 802.11 DSSS device, including wireless network cards and access points, is vulnerable. US-CERT added that encryption would not prevent an attack and posted a list of vendors whose products are vulnerable. That list reads like a who's who of networking and computer companies, including 3Com Corp., Alcatel SA, Apple Computer Inc., Cisco Systems Inc., D-Link Corp., Extreme Networks Inc., Hewlett-Packard Co., IBM, Motorola Inc., Nortel Networks Ltd. and Linksys Group Inc., a subsidiary of Cisco.

The US-CERT bulletin said the CCA algorithm is vulnerable to a jamming type of attack "in which a specially crafted RF signal will cause the algorithm to conclude that the channel is busy, so that no device in range of the signal will transmit data."

Any industry or government organization using 802.11b WLANs for critical processes should be aware of the potential vulnerabilities, Looi told Computerworld Australia. "This wireless technology should not be used for any critical applications, as the results could potentially be very serious," he said. Any organization that continues to use 802.11b WLANs to operate critical infrastructure "could be considered negligent," he added.

Looi said WLAN devices based on the 802.11a protocol, which provides a raw data rate of 54Mbit/sec. in the 5-GHz band, are not vulnerable to this kind of jamming attack, since they use a different modulation scheme, known as orthogonal frequency division multiplexing (OFDM).

802.11g devices, which have a maximum raw data rate of 54Mbit/sec. in the 2.4-GHz band, are also vulnerable when they operate at a data rate of 20Mbit/sec. or below. At those speeds, 802.11g devices use DSSS. At higher speeds, 802.11g devices operate with OFDM and are not vulnerable to attack. Looi said, however, that he is concerned that a similar flaw could yet be found in the OFDM protocol.

Officials at United Parcel Service Inc., which operates 802.11b Wi-Fi networks at 2,000 hubs and sorting facilities worldwide, said they are looking into the issue. "It is of concern to UPS," said Donna Barrett, a UPS spokeswoman.

She said UPS, which has one of the largest enterprise deployments of the technology in the world and plans to equip its drivers worldwide with handheld Wi-Fi computers, has contacted its Wi-Fi vendor, Holtsville, N.Y.-based Symbol Technologies Inc., and is "awaiting their input on this issue." Symbol officials could not be reached for comment today.

UPS also views a switch to 802.11a hardware as a remedy as "unacceptable," Barrett said.

Looi said the Institute of Electrical and Electronics Engineers Inc. plans to publish his students' paper this week on 802.11b vulnerabilities but will not include details that could facilitate an attack. But "it would not be hard" for others to discover the weakness and write their own algorithm, he said.

The short range of 802.11b WLAN devices could reduce the potential for exploiting the vulnerability, according to James Gillespie, a senior security analyst at AusCERT. Unlike an Internet-based hack, the 802.11b flaw can only be exploited locally. Gillespie said, "We are not expecting widespread or prolonged attacks" because WLANs "are hard to target."

"I don't view this as a serious problem," said Craig Mathias, an analyst at FarPoint Group in Ashland, Mass. "Someone has to want to initiate a wireless DoS attack, (and) I've never seen one or heard of one in a public space -- although they are clearly possible.

"It's been well known for some time that a high-power jam could interrupt a Wi-Fi or any unlicensed network, and much more effectively than the technique" discovered at Queensland University.

Mathias recommended that all users employ tri-mode 802.11a/b/g networks, which would mitigate the 802.11b vulnerability by providing alternatives. He said any attack could also be managed by radio frequency spectrum management tools, which would pinpoint the jammed channel and allow for dynamic channel reassignment.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.